Personal Data Protection Act 2010 [Act 709]

25 Applicable code of practice

(1) The Commissioner shall ensure that there is only one code of practice registered for a class of data users at a given time.

(2) All data users belonging to a class of data users shall comply with the relevant registered code of practice that is applicable to that class of data users at a given time.

(3) Where a code of practice is registered by the Commissioner under section 23 or 24, the Commissioner shall notify, in such manner as he may determine, the relevant class of data users to whom the code of practice is applicable-

(a) of the identity of the code of practice concerned and the date on which the code of practice is to take effect; and

(b) of the specific requirements under this Act for which the code of practice is issued and registered.


(4) If there is any uncertainty or ambiguity as to which code of practice is applicable to a particular data user or class of data users, the data user or person concerned may apply to the Commissioner for his opinion on which code of practice is the applicable code of practice in relation to the circumstances of such data user or person.

(5) The Commissioner shall provide his opinion within thirty days from the date of receipt of an application made under subsection (4).

(6) The Commissioner shall, when making his opinion under subsection (5), take into account any relevant previous opinions, if any.

(7) The Commissioner may withdraw an opinion made under this section if the Commissioner is satisfied that the nature of the activity engaged by the data user has changed materially.

26 Revocation, etc., of code of practice

(1) The Commissioner may revoke, amend or revise, whether in whole or in part, any code of practice registered under this Act-

(a) on his own accord; or

(b) upon an application by the data user forum or such bodies representing the data users.


(2) The Commissioner shall, before revoking, amending or revising a code of practice under subsection (1), consult with-

(a) such data users or bodies representative of data users to which the code of practice shall apply, whether in whole or in part; and

(b) such other interested persons,


as the Commissioner thinks fit.

(3) Where any code of practice has been revoked, amended or revised under subsection (1), the Commissioner-

(a) shall enter the particulars of such revocation, amendment or revision in the Register of Codes of Practice; and

(b) shall notify the relevant data user forum, class of data users, data users and the public of such revocation, amendment or revision in such manner as may be determined by him.


(4) The Commissioner shall make available to the public any code of practice as amended or revised by him under this section.

27 Submission of new code of practice by data user forum

(1) A data user forum may submit a new code of practice to replace an existing code of practice.

(2) The new code of practice submitted in pursuance of subsection (1) shall be subject to the provisions of this Division.

28 Register of Codes of Practice

(1) The Commissioner shall maintain a Register of Codes of Practice in accordance with section 128.

(2) The Register of Codes of Practice shall contain-

(a) particulars of codes of practice registered under section 23 or 24 and any revocation, amendment or revision to such codes of practice under section 26; and

(b) any opinion made by the Commissioner under section 25, including particulars of withdrawal of previous opinions.

29 Non-compliance with code of practice

A data user who fails to comply with any provision of the code of practice that is applicable to the data user commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.

Division 4 - Rights of data subject

30 Right of access to personal data

(1) An individual is entitled to be informed by a data user whether personal data of which that individual is the data subject is being processed by or on behalf of the data user.

(2) A requestor may, upon payment of a prescribed fee, make a data access request in writing to the data user-

(a) for information of the data subject's personal data that is being processed by or on behalf of the data user; and

(b) to have communicated to him a copy of the personal data in an intelligible form.


(3) A data access request for any information under subsection (2) shall be treated as a single request, and a data access request for information under paragraph (2)(a) shall, in the absence of any indication to the contrary, be treated as extending also to such request under paragraph (2)(b).

(4) In the case of a data user having separate entries in respect of personal data held for different purposes, a separate data access request shall be made for each separate entry.

(5) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or part, with the data access request under subsection (2) which relates to the personal data, the first-mentioned data user shall be deemed to hold the personal data and the provisions of this Act shall be construed accordingly.

31 Compliance with data access request

(1) Subject to subsection (2) and section 32, a data user shall comply with a data access request under section 30 not later than twenty-one days from the date of receipt of the data access request.

(2) A data user who is unable to comply with a data access request within the period specified in subsection (1) shall before the expiration of that period-

(a) by notice in writing inform the requestor that he is unable to comply with the data access request within such period and the reasons why he is unable to do so; and

(b) comply with the data access request to the extent that he is able to do so.


(3) Notwithstanding subsection (2), the data user shall comply in whole with the data access request not later than fourteen days after the expiration of the period stipulated in subsection (1).

32 Circumstances where data user may refuse to comply with data access request

(1) A data user may refuse to comply with a data access request under section 30 if-

(a) the data user is not supplied with such information as he may reasonably require-

(i) in order to satisfy himself as to the identity of the requestor; or

(ii) where the requestor claims to be a relevant person, in order to satisfy himself-

(A) as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and

(B) that the requestor is the relevant person in relation to the data subject;

(b) the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates;

(c) the burden or expense of providing access is disproportionate to the risks to the data subject's privacy in relation to the personal data in the case in question;

(d) the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless-

(i) that other individual has consented to the disclosure of the information to the requestor; or

(ii) it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual;

(e) subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request;

(f) providing access would constitute a violation of an order of a court;

(g) providing access would disclose confidential commercial information; or

(h) such access to personal data is regulated by another law.


(2) In determining for the purposes of subparagraph (1)(d)(ii) whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to-

(a) any duty of confidentiality owed to the other individual;

(b) any steps taken by the data user with a view to seeking the consent of the other individual;

(c) whether the other individual is capable of giving consent; and

(d) any express refusal of consent by the other individual.


(3) Paragraph (1)(e) shall not operate so as to excuse the data user from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.

33 Notification of refusal to comply with data access request

Where a data user who pursuant to section 32 refuses to comply with a data access request under section 30, he shall, not later than twenty-one days from the date of receipt of the data access request, by notice in writing, inform the requestor-

(a) of the refusal and the reasons for the refusal; and

(b) where paragraph 32(1)(e) is applicable, of the name and address of the other data user concerned.

34 Right to correct personal data

(1) Where-

(a) a copy of the personal data has been supplied by the data user in compliance with the data access request under section 30 and the requestor considers that the personal data is inaccurate, incomplete, misleading or not up-to-date; or

(b) the data subject knows that his personal data being held by the data user is inaccurate, incomplete, misleading or not up-to-date,


the requestor or data subject, as the case may be, may make a data correction request in writing to the data user that the data user makes the necessary correction to the personal data.

(2) Where a data user does not hold the personal data, but controls the processing of the personal data in such a way as to prohibit the data user who holds the personal data from complying, whether in whole or in part, with the data correction request under subsection (1) which relates to the personal data, the first-mentioned data user shall be deemed to be the data user to whom such a request may be made and the provisions of this Act shall be construed accordingly.

